Addressing the Perils of ADFS Publishing with the Barracuda Web Application Firewall

In the past, corporate users could simply “tunnel in” to the corporate network from authorized, domain-joined devices – mainly laptops. Today, mobile and cloud computing have overtaken desktop computing, and the BYOD world has little use for tunnels. Devices that IT does not control, and that are full of untrusted apps, cannot be allowed to join the domain or be given full access to the network over a VPN tunnel.

Vocabulary that used to center on the “domain” has shifted to “workplace join” and “federated services”. Enter ADFS, which addresses the key use cases of identity federation across security domains, single sign-on and conditional access control. To reach the many mobile platforms over the Internet, ADFS had only one option: protocols that run over HTTP. Those HTTP-friendly protocols are SAML and WS-Federation, among others.

This “webification” of access control has two worrying consequences. The first is that ADFS becomes an application reachable by anyone on the Internet – just another HTTP-based web application living at a well-known URL space. The second is that it is a critical access control service tied directly to Active Directory, which makes it a highly attractive target for attackers.

Microsoft understands this and strongly recommends that ADFS be published through a reverse proxy such as its Web Application Proxy (WAP). In our white paper on securely publishing ADFS, we explain why the Barracuda Web Application Firewall is a superior alternative, or add-on, to WAP for publishing ADFS and other Microsoft applications. A stark reinforcement of this came in June 2015 with Microsoft Security Bulletin MS15-062, Vulnerability in Active Directory Federation Services Could Allow Elevation of Privilege:

“The vulnerability could allow elevation of privilege if an attacker submits a specially crafted URL to a target site. Due to the vulnerability, in specific situations specially crafted script is not properly sanitized, which subsequently could lead to an attacker-supplied script being run in the security context of a user who views the malicious content.”

The update is rated Important and affects ADFS on Windows Server 2008, 2008 R2 and 2012. The flaw described is a reflected cross-site scripting bug: attacker-controlled script in a crafted URL is echoed back to the browser unsanitized. WAP forwards such requests to ADFS without inspecting their content for attack payloads, so it offers no protection against attacks embedded inside the HTTP traffic. If WAP was the only gatekeeper in your DMZ, your ADFS services were exposed to this and to other injection attacks in the OWASP Top 10.
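To make the difference between a pass-through reverse proxy and an inspecting one concrete, here is an added illustration written for this article. It is not Barracuda WAF or Microsoft WAP code, and it deliberately models only what is stated above: a pass-through proxy checks that the client got in and forwards the request unread, while an inspecting proxy first limits the published URL space, then allows only the standard WS-Federation and SAML parameters the passive sign-in endpoint expects, and only then looks for script markers in the (fully decoded) values. The URL prefixes and parameter names are the ones ADFS normally exposes; the sample requests are constructed for the example and are not captured traffic or tied to any specific bulletin.

```python
"""Pass-through vs. inspecting reverse proxy in front of the ADFS URL space.

Added illustration for this article; it is not Barracuda WAF or Microsoft WAP
code. The URL prefixes and WS-Federation parameter names are the standard ones
ADFS exposes; the sample requests are constructed, not captured traffic.
"""
import html
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Selective publishing: only these prefixes are exposed to the Internet.
PUBLISHED_PREFIXES = ("/adfs/", "/FederationMetadata/")

# Positive model: parameters the passive sign-in endpoint legitimately receives
# (WS-Federation and SAML names; nothing here refers to a particular bulletin).
ALLOWED_PARAMS = {
    "wa", "wtrealm", "wctx", "wreply", "wct", "wauth", "whr", "wfresh",
    "SAMLRequest", "RelayState", "SigAlg", "Signature", "client-request-id",
}
WA_ACTIONS = {"wsignin1.0", "wsignout1.0", "wsignoutcleanup1.0"}

# Negative model: markers of script being reflected back to a browser.
# Signatures alone have false positives; that is why the allowlist runs first.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),                 # onerror=, onload=, ...
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]


@dataclass
class Verdict:
    allowed: bool
    reason: str


def passthrough_proxy(method, target, authenticated=True):
    """WAP-style: pre-authentication only; the URL and body are forwarded unread."""
    if not authenticated:
        return Verdict(False, "pre-authentication failed")
    return Verdict(True, "forwarded without content inspection")


def _decode_fully(value, rounds=3):
    """Strip nested percent-encoding and HTML entities so %253C or &lt; cannot hide a tag."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def inspecting_proxy(method, target, authenticated=True):
    """WAF-style: pre-authentication, then path and parameter allowlists, then script signatures."""
    if not authenticated:
        return Verdict(False, "pre-authentication failed")
    parts = urlsplit(target)
    if not parts.path.startswith(PUBLISHED_PREFIXES):
        return Verdict(False, f"path not published: {parts.path}")
    if method not in ("GET", "POST"):
        return Verdict(False, f"method not allowed: {method}")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS:
            return Verdict(False, f"unexpected parameter: {name}")
        decoded = _decode_fully(value)
        if name == "wa" and decoded not in WA_ACTIONS:
            return Verdict(False, f"unknown wa action: {decoded}")
        for pattern in SCRIPT_PATTERNS:
            if pattern.search(decoded):
                return Verdict(False, f"script marker in {name}: {pattern.pattern}")
    return Verdict(True, "forwarded after inspection")


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("GET", "/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=rm%3D0%26id%3Dpassive"),
    ("GET", "/FederationMetadata/2007-06/FederationMetadata.xml"),
    ("GET", "/adfs/ls/?wa=wsignin1.0&wreply=https://portal.example.com/%3Cscript%3Ealert(1)%3C/script%3E"),
    ("GET", "/adfs/ls/?wa=wsignin1.0&wctx=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"),
    ("GET", "/adfs/ls/?wa=wsignin1.0&debug=1"),
    ("GET", "/owa/?ae=Item"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (target, passthrough_allowed, inspecting_allowed) for each request."""
    return [(t, passthrough_proxy(m, t).allowed, inspecting_proxy(m, t).allowed)
            for m, t in requests]


if __name__ == "__main__":
    for target, passthrough, inspected in compare():
        print(f"{'pass' if passthrough else 'BLOCK':5} {'pass' if inspected else 'BLOCK':5} {target}")
```

The pass-through proxy lets all six constructed requests reach ADFS, including the two carrying script and the request for an unpublished path. The inspecting proxy forwards only the two legitimate ones; note that the double-encoded payload is caught only because values are decoded repeatedly before the signatures run, and that the parameter allowlist rejects the unexpected `debug` parameter before any signature is consulted.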

Microsoft deserves credit for stepping up its security practices over the years, but the fact remains that Windows is one of the most targeted platforms because of its popularity. Consider the following chart from cvedetails, which depicts the vulnerabilities in Windows Server 2008 over the years (both WAP and ADFS are roles in Windows Server):

The Barracuda Web Application Firewall is a mature, award-winning reverse proxy solution that secures this critical attack surface and provides other important benefits, summarized below:

Protection against web-based attacks for HTTP and HTTPS traffic

Protection against subtle application-layer DDoS attacks targeted at ADFS and other web apps

Interoperability with ADFS (as well as Azure AD) services using SAML, see our techlib articles for this

A hardened appliance that shields known and unknown vulnerabilities in the Windows Server infrastructure behind it

Load Balancing and high availability in a single appliance

Network isolation of the ADFS server infrastructure

Selective publishing of web applications, exposing only the URL spaces that need to be reachable

Our field teams have also observed that some organizations prefer deploying ADFS in the cloud to avoid procurement hassles and other red tape on-premises. The Barracuda WAF is available in the Azure and AWS marketplaces and provides all of the above benefits in cloud deployments as well.